Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: receiving from a client computer, by one or more computing devices, device-context information from a session, wherein the session includes a time period where a user of the client computer is performing an activity on the client computer; receiving from the client computer, by the one or more computing devices, user behavior information from the session, wherein the user behavior information comprises information on ways the user uses user input devices for the client computer during the session; generating, by the one or more computing devices, a first feature vector for the device-context information and a second feature vector for the user behavior information; comparing, by the one or more computing devices, the first feature vector against a first model of historical device-context information from previous sessions of the user or other users, wherein the previous sessions relate to the session, and wherein the comparison of the first feature vector against the first model provides a first level of deviation of the first feature vector from the first model; comparing, by the one or more computing devices, the second feature vector against a second model of historical user behavior information from the previous sessions, wherein the comparison of the second feature vector against the second model provides a second level of deviation of the second feature vector from the second model, the first level of deviation and the second level of deviation compensating a possibility of a false positive authentication effect of each other; determining, by the one or more computing devices, whether the session is anomalous or normal according to the first level of deviation and the second level of deviation; and performing, by the one or more computing devices, a security action in response to determining the session is anomalous.
2. The method of claim 1, further comprising: generating, by the one or more computing devices, a combined feature vector comprising the first feature vector and the second feature vector; comparing, by the one or more computing devices, the combined feature vector against a combined meta-model of the historical device-context information and the historical user behavior information from the previous sessions, wherein the comparison of the combined feature vector against the combined meta-model provides a combined level of deviation of the first feature vector from the first model and the second feature vector from the second model; and determining, by the one or more computing devices, whether the session is anomalous or normal according to the combined level of deviation.
3. The method of claim 1, wherein the comparing the first feature vector against the first model to provide the first level of deviation occurs prior to the comparing the second feature vector against the second model to provide the second level of deviation, and wherein the method comprises: determining, by the one or more computing devices, whether the session is anomalous or normal according to the first level of deviation only; and performing the security action, without the determination that the session is anomalous or normal according to the second level of deviation, in response to determining the session is anomalous according to the first level of deviation.
4. The method of claim 1, wherein the comparing the second feature vector against the second model to provide the second level of deviation occurs prior to the comparing the first feature vector against the first model to provide the first level of deviation, and wherein the method comprises: determining, by the one or more computing devices, whether the session is anomalous or normal according to the second level of deviation only; and performing the security action, without the determination that the session is anomalous or normal according to the first level of deviation, in response to determining the session is anomalous according to the second level of deviation.
5. The method of claim 1, further comprising: generating, by the one or more computing devices, a parametric linear combination according to the first level of deviation and the second level of deviation; and determining, by the one or more computing devices, whether the session is anomalous or normal according to the parametric linear combination.
6. The method of claim 5, wherein the parametric linear combination comprises a prediction of the first model and a prediction of the second model, and wherein the predictions of the models are defined by c , b ∈[0,1].
7. The method of claim 6, further comprising unifying the predictions of the models using a linear convex combination, wherein the linear convex combination is defined by t =α c c , +α b b , and wherein α c , α b ∈[0,1] are coefficient parameters of each model.
8. The method of claim 7, wherein a summation of the coefficient parameters equals one or one hundred percent.
9. The method of claim 1, further comprising generating each one of the first and second models using machine learning.
10. The method of claim 9, further comprising generating each one of the first and second models using random decision forests.
11. The method of claim 9, wherein the generating the first and second models comprises generating a respective set of ratios of observations for each of the first and second models, and wherein each ratio of observations for a field of a feature category is divided by a summation of all observations of the feature category.
12. The method of claim 11, further comprising normalizing each ratio of observations in the first and second models.
13. The method of claim 11, further comprising, for each of the feature category that is cyclical, determining closeness of different fields in the feature category using convolution.
14. The method of claim 13, wherein the cyclical feature categories comprise temporal categories.
15. The method of claim 1, further comprising: updating the first model according to the first feature vector; and updating the second model according to the second feature vector.
16. The method of claim 15, wherein the updating of the first and second models occur after the comparing the first feature vector against the first model and the comparing of the second feature vector against the second model.
17. The method of claim 1, wherein the session comprises a login session.
18. The method of claim 1, wherein the session consists of a login session.
19. A non-transitory computer-readable storage medium comprising instructions that, when executed by a processing device, cause the processing device to: receive, from a client computer, device-context information from a session, wherein the session includes a time period where a user of the client computer is performing an activity on the client computer; receive, from the client computer, user behavior information from the session, wherein the user behavior information comprises information on ways the user uses user input devices for the client computer during the session; generate a first feature vector for the device-context information and a second feature vector for the user behavior information; compare the first feature vector against a first model of historical device-context information from previous sessions of the user or other users, wherein the previous sessions relate to the session, and wherein the comparison of the first feature vector against the first model provides a first level of deviation of the first feature vector from the first model; compare the second feature vector against a second model of historical user behavior information from the previous sessions, wherein the comparison of the second feature vector against the second model provides a second level of deviation of the second feature vector from the second model, the first level of deviation and the second level of deviation compensating a possibility of a false positive authentication effect of each other; determine whether the session is anomalous or normal according to the first level of deviation and the second level of deviation; and perform a security action in response to determining the session is anomalous.
20. A computer system, comprising: a processing device; and memory in communication with the processing device and storing instructions that, when executed by the processing device, cause the processing device to: receive, from a client computer, device-context information from a session, wherein the session includes a time period where a user of the client computer is performing an activity on the client computer; receive, from the client computer, user behavior information from the session, wherein the user behavior information comprises information on ways the user uses user input devices for the client computer during the session; generate a first feature vector for the device-context information and a second feature vector for the user behavior information; compare the first feature vector against a first model of historical device-context information from previous sessions of the user or other users, wherein the previous sessions relate to the session, and wherein the comparison of the first feature vector against the first model provides a first level of deviation of the first feature vector from the first model; compare the second feature vector against a second model of historical user behavior information from the previous sessions, wherein the comparison of the second feature vector against the second model provides a second level of deviation of the second feature vector from the second model, the first level of deviation and the second level of deviation compensating a possibility of a false positive authentication effect of each other; determine whether the session is anomalous or normal according to the first level of deviation and the second level of deviation; and perform a security action in response to determining the session is anomalous.
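The mechanics recited in claims 5 to 8 (convex combination of two model scores) and claims 11 to 14 (ratio-of-observations model with cyclical convolution for a temporal category) can be sketched as follows. This is an added illustration, not code from the patent or its applicant. The smoothing kernel, the peak normalization, the "1 minus ratio" deviation score, the weights, the threshold and the sample login hours are all assumptions chosen for the example.

```python
from collections import Counter

def ratio_model(observations, fields):
    # Claim 11: per-field count divided by all observations of the category.
    counts = Counter(observations)
    total = sum(counts.values())
    return [counts[f] / total for f in fields]

def cyclic_smooth(ratios, kernel=(0.25, 0.5, 0.25)):
    # Claims 13-14: circular convolution, so hour 23 and hour 0 are neighbours.
    # The kernel weights are an assumption; the claims do not specify them.
    n, half = len(ratios), len(kernel) // 2
    return [sum(k * ratios[(i + j - half) % n] for j, k in enumerate(kernel))
            for i in range(n)]

def normalize(ratios):
    # Claim 12: here, scale so the most frequent field maps to 1.0 (assumed scheme).
    peak = max(ratios)
    return [r / peak for r in ratios] if peak else list(ratios)

def deviation(model, field):
    # Assumed scoring: 0.0 = typical for this user, 1.0 = never observed.
    return 1.0 - model[field]

def combine(p_c, p_b, alpha_c, alpha_b):
    # Claims 7-8: convex combination; coefficients in [0,1] that sum to one.
    if not (0 <= alpha_c <= 1 and 0 <= alpha_b <= 1):
        raise ValueError("coefficients must lie in [0, 1]")
    if abs(alpha_c + alpha_b - 1.0) > 1e-9:
        raise ValueError("coefficients must sum to one")
    return alpha_c * p_c + alpha_b * p_b

def is_anomalous(p_c, p_b, alpha_c=0.4, alpha_b=0.6, threshold=0.5):
    # Threshold and default weights are assumptions for this example.
    return combine(p_c, p_b, alpha_c, alpha_b) >= threshold

# Constructed history: login hours of one user who works around midnight.
LOGIN_HOURS = [22, 23, 23, 23, 0, 0, 22, 23]
RAW = ratio_model(LOGIN_HOURS, range(24))
HOUR_MODEL = normalize(cyclic_smooth(RAW))

if __name__ == "__main__":
    for hour in (23, 0, 1, 12):  # hour, deviation without and with smoothing
        print(hour, round(deviation(normalize(RAW), hour), 3),
              round(deviation(HOUR_MODEL, hour), 3))
    print(is_anomalous(deviation(HOUR_MODEL, 12), 0.1))  # behaviour offsets context
    print(is_anomalous(deviation(HOUR_MODEL, 12), 0.9))  # both models deviate
```

Without the circular convolution a login at 01:00 scores as never seen, although it is one hour away from this user's usual window; with it the deviation drops, while a midday login stays at the maximum. The last two calls show a low behaviour deviation offsetting a high device-context deviation, and both deviating together.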
April 26, 2022